* [PATCH] Inter-field comparisons between uid/euid and gid/egid @ 2011-12-11 19:04 Peter Moody 2011-12-12 14:27 ` Steve Grubb 0 siblings, 1 reply; 8+ messages in thread From: Peter Moody @ 2011-12-11 19:04 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 2564 bytes --] Not sure if this is the right way to go about this, but I've got a couple of patches I'd like to be considered for inclusion. This builds off of Eric's patches from November. Specifically the following patches: [01/26] ( http://www.redhat.com/archives/linux-audit/2011-November/msg00019.html) [02/26] ( http://www.redhat.com/archives/linux-audit/2011-November/msg00020.html) [16/26] ( http://www.redhat.com/archives/linux-audit/2011-November/msg00034.html) [17/26] ( http://www.redhat.com/archives/linux-audit/2011-November/msg00035.html) [18/26] ( http://www.redhat.com/archives/linux-audit/2011-November/msg00036.html) [19/26] ( http://www.redhat.com/archives/linux-audit/2011-November/msg00037.html) [20/26] ( http://www.redhat.com/archives/linux-audit/2011-November/msg00038.html) Signed-off-by: Peter Moody <pmoody@google.com> --- include/linux/audit.h | 4 +++- kernel/auditsc.c | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 4c5437f..cce8f35 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -182,8 +182,10 @@ /* AUDIT_FIELD_COMPARE rule list */ #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 #define AUDIT_COMPARE_GID_TO_OBJ_GID 2 +#define AUDIT_COMPARE_UID_TO_EUID 3 +#define AUDIT_COMPARE_GID_TO_EGID 4 -#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID +#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_EGID /* Rule fields */ /* These are useful when checking the * task structure at task creation time diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2be8bf3..08c8736 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -514,6 +514,24 @@ static int audit_field_compare(struct task_struct *tsk, return audit_compare_id(cred, offsetof(struct cred, gid), name, offsetof(struct audit_names, gid), f, ctx); + case AUDIT_COMPARE_UID_TO_EUID: + if(name) + return audit_comparator(cred->euid, f->op, cred->uid); + else if(ctx) { + struct audit_names *n; + list_for_each_entry(n, &ctx->names_list, list) + return audit_comparator(cred->euid, f->op, cred->uid); + } + break; + case AUDIT_COMPARE_GID_TO_EGID: + if(name) + return audit_comparator(cred->egid, f->op, cred->gid); + else if(ctx) { + struct audit_names *n; + list_for_each_entry(n, &ctx->names_list, list) + return audit_comparator(cred->egid, f->op, cred->gid); + } + break; default: return 0; } -- 1.7.3.1 -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038 [-- Attachment #1.2: Type: text/html, Size: 5480 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply related [flat|nested] 8+ messages in thread
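Review bot: In the two new cases in audit_field_compare() the name/ctx branching is dead logic, because the comparison only ever reads cred->uid and cred->euid (or cred->gid and cred->egid): the `list_for_each_entry(n, &ctx->names_list, list)` body returns on the first entry without touching n, and when name is NULL and the names list is empty the case falls through to `break`, so the rule silently never matches a setuid transition in a syscall that touched no path. Each case can simply be `return audit_comparator(cred->euid, f->op, cred->uid);` with no name or ctx test. Note also the operand order: euid is the left operand here although the constant is named AUDIT_COMPARE_UID_TO_EUID; that is invisible for = and != but decides what < and > rules match, so pick one orientation and document it next to the #defines in audit.h. Style: `if(name)` and `else if(ctx)` need a space after the keyword.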
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
From: Steve Grubb @ 2011-12-12 14:27 UTC
To: linux-audit

On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> Not sure if this is the right way to go about this, but I've got a couple
> of patches I'd like to be considered for inclusion.

I think we really want all permutations covered so we don't revisit this
every month or two.

-Steve
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
From: Peter Moody @ 2011-12-12 16:35 UTC
To: Steve Grubb; +Cc: linux-audit

On Mon, Dec 12, 2011 at 6:27 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> > Not sure if this is the right way to go about this, but I've got a couple
> > of patches I'd like to be considered for inclusion.
>
> I think we really want all permutations covered so we don't revisit this
> every month or two.

Ok. Do you want me to include subj_user/obj_user, subj_role/obj_role,
subj_type/obj_type as well, or just the uid/fsuid, gid/fsgid, uid/suid,
gid/sgid?

Cheers,
peter

> -Steve

--
Peter Moody
Google
1.650.253.7306
Security Engineer
pgp:0xC3410038
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
From: Steve Grubb @ 2011-12-12 17:48 UTC
To: Peter Moody; +Cc: linux-audit

On Monday, December 12, 2011 11:35:25 AM Peter Moody wrote:
> On Mon, Dec 12, 2011 at 6:27 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Sunday, December 11, 2011 02:04:24 PM Peter Moody wrote:
> > > Not sure if this is the right way to go about this, but I've got a
> > > couple of patches I'd like to be considered for inclusion.
> >
> > I think we really want all permutations covered so we don't revisit this
> > every month or two.
>
> Ok. Do you want me to include subj_user/obj_user, subj_role/obj_role,
> subj_type/obj_type as well

No, the MAC subsystems should be able to log that themselves.

> or just the uid/fsuid, gid/fsgid, uid/suid, gid/sgid?

Closer. All permutations of uid and gid being able to compare against either
object or process credentials. Like auid!=ouid or auid!=uid.

Thanks,
-Steve
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid 2011-12-12 17:48 ` Steve Grubb @ 2011-12-14 0:17 ` Peter Moody 2011-12-14 20:32 ` Steve Grubb 0 siblings, 1 reply; 8+ messages in thread From: Peter Moody @ 2011-12-14 0:17 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit On Mon, Dec 12, 2011 at 9:48 AM, Steve Grubb <sgrubb@redhat.com> wrote: > Closer. All permutations of uid and gid being able to compare against either > object or process credentials. Like auid!=ouid or auid!=uid. Ok, I think I got them all. This is the kernel change to allow comparison between the various uids (uid, euid, suid, fsuid, loginuid, obj_uid) and the various gids (gid, egid, sgid, fsgid). One other possible catch is that loginuid and auid seem to already be used interchangeably. I've referred to as auid where I could just because it's shorter. I hope that isn't too confusing. I've got a little more work to do on the user-land component, and I haven't been able to get the LIST_RULES to list the first field of the interfield comparisons. I'll keep poking at that, but I suspect it requires deeper auditd knowledge than I can muster (at least for now). This still requires the same patches from Eric that I mentioned in my first email Cheers, peter Signed-off-by: Peter Moody <pmoody@google.com> --- include/linux/audit.h | 37 ++++++++++++++-- kernel/auditsc.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 140 insertions(+), 11 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 4c5437f..72f00d2 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h 
@@ -180,10 +180,39 @@ #define AUDIT_UNUSED_BITS 0x07FFFC00 /* AUDIT_FIELD_COMPARE rule list */ -#define AUDIT_COMPARE_UID_TO_OBJ_UID 1 -#define AUDIT_COMPARE_GID_TO_OBJ_GID 2 - -#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_GID_TO_OBJ_GID +#define AUDIT_COMPARE_UID_TO_OBJ_UID 1 +#define AUDIT_COMPARE_GID_TO_OBJ_GID 2 +#define AUDIT_COMPARE_EUID_TO_OBJ_UID 3 +#define AUDIT_COMPARE_EGID_TO_OBJ_GID 4 +#define AUDIT_COMPARE_AUID_TO_OBJ_UID 5 +#define AUDIT_COMPARE_SUID_TO_OBJ_UID 6 +#define AUDIT_COMPARE_SGID_TO_OBJ_GID 7 +#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8 +#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9 + +#define AUDIT_COMPARE_UID_TO_AUID 10 +#define AUDIT_COMPARE_UID_TO_EUID 11 +#define AUDIT_COMPARE_UID_TO_FSUID 12 +#define AUDIT_COMPARE_UID_TO_SUID 13 + +#define AUDIT_COMPARE_AUID_TO_FSUID 14 +#define AUDIT_COMPARE_AUID_TO_SUID 15 +#define AUDIT_COMPARE_AUID_TO_EUID 16 + +#define AUDIT_COMPARE_EUID_TO_SUID 17 +#define AUDIT_COMPARE_EUID_TO_FSUID 18 + +#define AUDIT_COMPARE_SUID_TO_FSUID 19 + +#define AUDIT_COMPARE_GID_TO_EGID 20 +#define AUDIT_COMPARE_GID_TO_FSGID 21 +#define AUDIT_COMPARE_GID_TO_SGID 22 + +#define AUDIT_COMPARE_EGID_TO_FSGID 23 +#define AUDIT_COMPARE_EGID_TO_SGID 24 +#define AUDIT_COMPARE_SGID_TO_FSGID 25 + +#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID /* Rule fields */ /* These are useful when checking the * task structure at task creation time diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2be8bf3..a1ead88 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -458,9 +458,9 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree) return 0; } -static int audit_compare_id(const struct cred *cred, +static int audit_compare_id(const void *cred, unsigned long cred_offset, - struct audit_names *name, + void *name, unsigned long name_offset, struct audit_field *f, struct audit_context *ctx) 
@@ -506,14 +506,114 @@ static int audit_field_compare(struct task_struct *tsk, switch (f->val) { + /* obj_uid/obj_gid comparisons */ case AUDIT_COMPARE_UID_TO_OBJ_UID: - return audit_compare_id(cred, offsetof(struct cred, uid), - name, offsetof(struct audit_names, uid), + return audit_compare_id((void*)cred, offsetof(struct cred, uid), + (void*)name, offsetof(struct audit_names, uid), f, ctx); case AUDIT_COMPARE_GID_TO_OBJ_GID: - return audit_compare_id(cred, offsetof(struct cred, gid), - name, offsetof(struct audit_names, gid), - f, ctx); + return audit_compare_id((void*)cred, offsetof(struct cred, gid), + (void*)name, offsetof(struct audit_names, gid), + f, ctx); + case AUDIT_COMPARE_EUID_TO_OBJ_UID: + return audit_compare_id((void*)cred, offsetof(struct cred, euid), + (void*)name, offsetof(struct audit_names, uid), + f, ctx); + case AUDIT_COMPARE_EGID_TO_OBJ_GID: + return audit_compare_id((void*)cred, offsetof(struct cred, egid), + (void*)name, offsetof(struct audit_names, gid), + f, ctx); + case AUDIT_COMPARE_AUID_TO_OBJ_UID: + return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid), + (void*)name, offsetof(struct audit_names, uid), + f, ctx); + case AUDIT_COMPARE_SUID_TO_OBJ_UID: + return audit_compare_id((void*)cred, offsetof(struct cred, suid), + (void*)name, offsetof(struct audit_names, uid), + f, ctx); + case AUDIT_COMPARE_SGID_TO_OBJ_GID: + return audit_compare_id((void*)cred, offsetof(struct cred, sgid), + (void*)name, offsetof(struct audit_names, gid), + f, ctx); + case AUDIT_COMPARE_FSUID_TO_OBJ_UID: + return audit_compare_id((void*)cred, offsetof(struct cred, fsuid), + (void*)name, offsetof(struct audit_names, uid), + f, ctx); + case AUDIT_COMPARE_FSGID_TO_OBJ_GID: + return audit_compare_id((void*)cred, offsetof(struct cred, fsgid), + (void*)name, offsetof(struct audit_names, gid), + f, ctx); + /* uid comparisons */ + case AUDIT_COMPARE_UID_TO_AUID: + return audit_compare_id((void*)cred, offsetof(struct cred, uid), + (void*)tsk, 
offsetof(struct task_struct, loginuid), + f, ctx); + case AUDIT_COMPARE_UID_TO_EUID: + return audit_compare_id((void*)cred, offsetof(struct cred, uid), + (void*)cred, offsetof(struct cred, euid), + f, ctx); + case AUDIT_COMPARE_UID_TO_FSUID: + return audit_compare_id((void*)cred, offsetof(struct cred, uid), + (void*)cred, offsetof(struct cred, fsuid), + f, ctx); + case AUDIT_COMPARE_UID_TO_SUID: + return audit_compare_id((void*)cred, offsetof(struct cred, uid), + (void*)cred, offsetof(struct cred, suid), + f, ctx); + /* auid comparisons */ + case AUDIT_COMPARE_AUID_TO_FSUID: + return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid), + (void*)cred, offsetof(struct cred, fsuid), + f, ctx); + case AUDIT_COMPARE_AUID_TO_SUID: + return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid), + (void*)cred, offsetof(struct cred, suid), + f, ctx); + case AUDIT_COMPARE_AUID_TO_EUID: + return audit_compare_id((void*)tsk, offsetof(struct task_struct, loginuid), + (void*)cred, offsetof(struct cred, euid), + f, ctx); + /* euid comparisons */ + case AUDIT_COMPARE_EUID_TO_SUID: + return audit_compare_id((void*)cred, offsetof(struct cred, euid), + (void*)cred, offsetof(struct cred, suid), + f, ctx); + case AUDIT_COMPARE_EUID_TO_FSUID: + return audit_compare_id((void*)cred, offsetof(struct cred, euid), + (void*)cred, offsetof(struct cred, fsuid), + f, ctx); + /* suid comparisons */ + case AUDIT_COMPARE_SUID_TO_FSUID: + return audit_compare_id((void*)cred, offsetof(struct cred, suid), + (void*)cred, offsetof(struct cred, fsuid), + f, ctx); + /* gd comparisons */ + case AUDIT_COMPARE_GID_TO_EGID: + return audit_compare_id((void*)cred, offsetof(struct cred, gid), + (void*)cred, offsetof(struct cred, egid), + f, ctx); + case AUDIT_COMPARE_GID_TO_FSGID: + return audit_compare_id((void*)cred, offsetof(struct cred, gid), + (void*)cred, offsetof(struct cred, fsgid), + f, ctx); + case AUDIT_COMPARE_GID_TO_SGID: + return audit_compare_id((void*)cred, 
offsetof(struct cred, gid), + (void*)cred, offsetof(struct cred, sgid), + f, ctx); + /* egid comparisons */ + case AUDIT_COMPARE_EGID_TO_FSGID: + return audit_compare_id((void*)cred, offsetof(struct cred, egid), + (void*)cred, offsetof(struct cred, fsgid), + f, ctx); + case AUDIT_COMPARE_EGID_TO_SGID: + return audit_compare_id((void*)cred, offsetof(struct cred, egid), + (void*)cred, offsetof(struct cred, sgid), + f, ctx); + /* sgid comparison */ + case AUDIT_COMPARE_SGID_TO_FSGID: + return audit_compare_id((void*)cred, offsetof(struct cred, sgid), + (void*)cred, offsetof(struct cred, fsgid), + f, ctx); default: return 0; } -- 1.7.3.1 -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038 ^ permalink raw reply related [flat|nested] 8+ messages in thread
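Review bot: The new constant block in audit.h does cover every same-class pair (15 uid pairs from uid/euid/suid/fsuid/auid/obj_uid and 10 gid pairs from gid/egid/sgid/fsgid/obj_gid, 25 in all, matching the new AUDIT_MAX_FIELD_COMPARE), but it still does not say which side of an X_TO_Y name is the left operand of f->op, and this version quietly flips the orientation relative to the first posting (AUDIT_COMPARE_UID_TO_EUID now evaluates uid op euid where it previously evaluated euid op uid). For = and != that is invisible; for <, >, <= and >= it changes what the rule matches, and the userspace side needs the same convention to print rules back from `auditctl -l`. Add a one-line comment above the #defines, for example `/* AUDIT_COMPARE_A_TO_B: the A field is the left operand */`, and keep the auditsc.c cases in that order.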
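Review bot: Changing audit_compare_id() to take `const void *cred` and `void *name` removes the type check that made the offsetof() pairs safe and overloads the name slot. The original prototype took a `struct audit_names *name` plus a `struct audit_context *ctx`, which (as the first posting of this patch did inline) presumably exists so the function can fall back to walking the syscall's names list and apply name_offset to each struct audit_names when name is NULL; the new process-vs-process callers instead hand it a struct cred or struct task_struct in the name slot with an offset into that struct. That only works because cred and tsk are never NULL, so the ctx path is never taken for them; a later caller that passes NULL there would apply a struct cred offset to audit_names entries. Split the process-vs-process comparisons into their own small helper (two fields read from the task, no ctx walk) and leave audit_compare_id() typed as it was.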
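Review bot: The `(void*)cred`, `(void*)name` and `(void*)tsk` casts throughout the switch are unnecessary, and the cred ones discard a const qualifier: cred, which the old prototype accepted as `const struct cred *` without a cast, converts to `const void *` implicitly, and `struct audit_names *` converts to `void *`, so every cast can go (checkpatch would also want `(void *)` rather than `(void*)`). Two smaller things in the same hunk: the comment `/* gd comparisons */` should read `/* gid comparisons */`, and the three AUID cases read tsk->loginuid via offsetof(struct task_struct, loginuid), the only offsets in the switch that are not into struct cred; a short comment saying so would help the next reader.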
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
From: Steve Grubb @ 2011-12-14 20:32 UTC
To: Peter Moody, Eric Paris; +Cc: linux-audit

On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > Closer. All permutations of uid and gid being able to compare against
> > either object or process credentials. Like auid!=ouid or auid!=uid.
>
> Ok, I think I got them all.

Thanks. Eric, any comments?

-Steve
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
From: Peter Moody @ 2011-12-22 16:32 UTC
To: Steve Grubb; +Cc: linux-audit

On Wed, Dec 14, 2011 at 12:32 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > > Closer. All permutations of uid and gid being able to compare against
> > > either object or process credentials. Like auid!=ouid or auid!=uid.
> >
> > Ok, I think I got them all.
>
> Thanks. Eric, any comments?

Is there anything else that I can do to help the case for this patch? (And
did you want the updated version that allowed auditctl -l to work with the
interfield comparisons? The only change to kernel land was to put these in
range of the other audit fields.)

Cheers,
peter

--
Peter Moody
Google
1.650.253.7306
Security Engineer
pgp:0xC3410038
* Re: [PATCH] Inter-field comparisons between uid/euid and gid/egid
From: Steve Grubb @ 2011-12-24 21:51 UTC
To: Peter Moody; +Cc: linux-audit

On Thursday, December 22, 2011 11:32:11 AM Peter Moody wrote:
> On Wed, Dec 14, 2011 at 12:32 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Tuesday, December 13, 2011 07:17:51 PM Peter Moody wrote:
> > > > Closer. All permutations of uid and gid being able to compare against
> > > > either object or process credentials. Like auid!=ouid or auid!=uid.
> > >
> > > Ok, I think I got them all.
> >
> > Thanks. Eric, any comments?
>
> Is there anything else that I can do to help the case for this patch (and
> did you want the updated version that allowed auditctl -l to work with the
> interfield comparisons?

Not really, I think it's just a bad time of the year to get quick results. :)

> the only change to kernel land was to put these in range of the other audit
> fields)

I'll be doing some more testing on this in January. Consider the patch more
or less accepted. We want that functionality.

-Steve